Recently, Google announced that their Chrome browser will start marking websites that use HTTP connections as insecure. Specifically, any sites that transmit passwords, credit card, or other potentially sensitive information will be marked as insecure to the site’s visitor if they are not accessing the site over a secure HTTPS connection. Eventually, they will issue the warning to all sites that are served over HTTP. What that means for site owners – especially WordPress site owners – is that you need to have an SSL certificate installed on your site by the end of 2016 as this change will roll out in January 2017. The good news is it’s really easy to install free Let’s Encrypt SSL certificates on WP Engine.
Why the push for SSL?
SSL is what banks, e-commerce sites, and any other site that collects private information (think usernames, passwords, credit card numbers, email addresses, phone numbers, etc.) use to encrypt the data that is being transmitted from your browser to the website or third-party service collecting that information. This makes it harder for hackers or other third parties to intercept the sensitive information after it is submitted to your website.
Google and a number of other companies are pushing for a more secure internet. Publishing a warning that the site you’re visiting is being served over an insecure connection will help get that done.
How to install Let’s Encrypt SSL certificates on WP Engine
Update: I was just informed by WP Engine’s support staff that Let’s Encrypt is not available for all customers yet, but should be rolled out to everyone by the end of 2016.
If your site isn’t already using one of WP Engine’s SSL certificates, you can easily add a free Let’s Encrypt SSL certificate to any site you have hosted on WP Engine.
First, you’ll need an account on WP Engine. It takes less than an hour to move most sites to their hosting service, and I highly recommend it. Once your site is fully hosted there, you’re about two and a half minutes away from installing a free SSL on your site.
On your install overview page, click the SSL link on the left hand menu.
Click the Add SSL Certificates button to the right.
Find the Get free Let’s Encrypt certificates option, and click the button to continue.
The next page will show you all of the domains you have pointed to that install. If you have www.example.com, and example.com pointed to the install, both will show up here. If you’re using a multisite setup with domain mapping, you’ll see all of the domain variations you have set to point to this install. Note: multisite networks that use subdomains and allow visitors to register their own site may not work well with Let’s Encrypt. However, WP Engine has an affordable wildcard certificate available as well.
Check the boxes next to all of the domains you want secured with this SSL. I’d recommend checking all of them.
Next, read the terms and conditions, check the box and click the Request SSL Certificate button.
The process to generate an SSL certificate for your site is fairly quick – I timed one site and it took less than two and a half minutes from start to finish.
If you were previously using another SSL certificate (many of my sites were using Cloudflare’s free SSL), you will want to disable any plugins that may be forcing SSL on your site’s pages. Plugins like WordPress HTTPS, or even Cloudflare’s plugin may cause too many redirect issues after the next few steps.
When your SSL certificate is ready to use, you’ll see the status change from pending to enabled on the site’s SSL page on your WP Engine account. Like I mentioned earlier, this is a fairly quick process. Go grab a coffee, and it should be ready by the time you get back.
On the settings section, check both boxes in the WordPress admin pages section. Also, select the Allow non-SSL configured pages to use https:// option, and click Save. Finally, in the SSL certificates section expand the site that has Secure specific URLs in the status column. Make sure the Auto Renew box is checked, and select the Secure all URLs option. Then save your changes.
Finally, if you have any other URLs listed (i.e. the www version of your domain), expand them and make sure they are set to auto renew as well.
The auto renew option is important because Let’s Encrypt certificates are only good for three months. Unless you want to go through and renew your certificates manually four times per year for each site you have hosted on WP Engine, it’s best to auto renew.
Everything should be working fine now, but you will want to make sure your site is being displayed correctly. Some images, links, or plugins may have insecure links (i.e. http:// instead of https://). When you visit your site, you should see the green HTTPS or a green padlock icon in the address bar. If HTTPS is yellow, red, or grey, you may have some insecure content on the page.
Using Chrome, press F12, or right click the page and select the inspect option. Click the security tab, and under Secure Resources find anything that may not be using a secure link.
I have found that a lot of times links to images are the culprit. An easy fix is to use a plugin like Better Search Replace to swap out the old http:// URL for the new https:// URL.
Simply enter the full http:// URL of your domain without the trailing slash in the find box (http://yoursite.com), and enter the https:// URL in the replace box (https://yoursite.com). This will scan your database for all instances of the http:// domain and replace it with the https:// version.
Be sure that you don’t just enter http: in the find and https: in the replace, as some links on your site may be to external sites with no SSL certificate (shame on them). You may end up sending visitors to the wrong URL.
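The insecure-content check and the scoped find and replace described above, as an added example that is not part of the original post or of the Better Search Replace plugin. The markup is constructed, every host other than the post's yoursite.com placeholder is made up, and the function names are hypothetical. It goes one step beyond the text by also guarding against look-alike hosts that merely start with your domain.

```javascript
// Constructed sample markup. yoursite.com is the post's placeholder domain;
// the other hosts are made up for this example.
const SAMPLE_HTML = `
<img src="http://yoursite.com/wp-content/uploads/logo.png">
<script src="http://cdn.example/lib.js"></script>
<link rel="stylesheet" href="https://yoursite.com/style.css">
<a href="http://partner.example/page">Partner</a>
<img src="http://yoursite.company.example/banner.png">
`;

// Tags that load subresources. A plain <a href> is navigation, not mixed
// content, so it is ignored. Simplified: regex scan, <link rel> not inspected.
const SUBRESOURCE =
  /<(img|script|iframe|source|audio|video|link)\b[^>]*?\s(?:src|href)=["'](http:\/\/[^"']+)["']/gi;

// List every subresource still loaded over http:// and whether it is ours.
function findInsecureResources(html, siteHost) {
  const hits = [];
  for (const m of html.matchAll(SUBRESOURCE)) {
    const host = new URL(m[2]).hostname.toLowerCase();
    hits.push({ tag: m[1].toLowerCase(), url: m[2], ownDomain: host === siteHost });
  }
  return hits;
}

// The replacement the post warns against: touches every host, SSL or not.
function naiveUpgrade(html) {
  return html.replace(/http:/g, "https:");
}

// Scoped replacement: only URLs whose host is exactly siteHost. The lookahead
// stops "http://yoursite.com" from matching inside "yoursite.company.example".
function upgradeOwnDomain(html, siteHost) {
  const escaped = siteHost.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const own = new RegExp(`http://${escaped}(?=[/"'?#\\s]|$)`, "gi");
  return html.replace(own, `https://${siteHost}`);
}

const fixed = upgradeOwnDomain(SAMPLE_HTML, "yoursite.com");
console.log(findInsecureResources(SAMPLE_HTML, "yoursite.com"));
console.log(findInsecureResources(fixed, "yoursite.com")); // external hosts remain
```

Anything still reported after the scoped rewrite is loaded from a third-party host, so it has to be fixed at the source (a different URL or a different provider) rather than by search and replace.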